elsa-workflows/elsa-core 3.6.2
on GitHub

4 hours ago

Elsa 3.6.2 is a patch release that addresses a NuGet security warning caused by a vulnerable transitive dependency.

Security

Fixed NU1903 warnings/errors for Snappier 1.2.0, which has a known high-severity vulnerability: GHSA-pggp-6c3x-2xmx.
Elsa did not reference Snappier directly; it was introduced transitively through:
```
Elsa.Common -> IronCompress 1.7.0 -> Snappier 1.2.0
```
Elsa now explicitly pins Snappier to 1.3.1, the first patched version.

Notes

We investigated replacing IronCompress, but it is used by Elsa’s Zstd compression codec.
Factoring out IronCompress would require changing compression behavior and validating compatibility with already persisted compressed workflow data.
For a patch release, overriding the vulnerable transitive dependency is the safest and least disruptive fix.

Validation

Confirmed that dotnet list Elsa.sln package --include-transitive resolves Snappier to 1.3.1.
Confirmed that NU1903 is no longer reported for Snappier.
Confirmed that Elsa.Common builds successfully.

Full Changelog: 3.6.1...3.6.2

Check out latest releases or
releases around elsa-workflows/elsa-core 3.6.2

Don't miss a new elsa-core release

NewReleases is sending notifications on new releases.

Get notifications